Imunify360 Bug Leaves Linux Web Servers Open to Code Execution, Takeover

CloudLinux’s security platform for Linux-based websites and web servers contains a high-severity PHP deserialization bug.

A high-severity security vulnerability in CloudLinux’s Imunify360 cybersecurity platform could lead to arbitrary code execution and web-server takeover, according to researchers.

Imunify360 is a security platform for Linux-based web servers that allows users to configure various settings for real-time website protection and web-server security. It offers an advanced firewall, intrusion detection and prevention, antivirus and antimalware scanning, automatic kernel patch updates, and a web-host panel integration for managing it all.

According to researchers at Cisco Talos, the bug (CVE-2021-21956) specifically resides in the Ai-Bolit scanning functionality of the Imunift360, which allows webmasters and site administrators to search for viruses, vulnerabilities and malware code.

Infosec Insiders Newsletter

The bug, which rates 8.2 out of 10 on the CVSSv3.0 vulnerability-severity scale, can lead to a deserialization condition with controllable data that would allow an attacker to then execute arbitrary code.

“A PHP unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.8 and 5.9,” according to a posting from the firm, issued on Monday.

It added, “To be more precise…inside the Deobfuscator class, ai-bolit-hoster.php keeps a list of signatures (regex) representing code patterns generated by common obfuscators…When a certain signature (regex) is inside a scanned file, the proper de-obfuscation handler is executed, which tries to pull out essential data from the obfuscated code.”

This handler, called “decodedFileGetContentsWithFunc,” contains a call to the unserialize function – however, there’s no input sanitization to check whether the function’s input data is malicious, thus giving an attacker an opportunity to execute arbitrary code during unserialization.

By default, the Ai-Boilt scanner is installed as a service and works with root privileges, which would give a successful attacker full control.


“A specially crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability,” according to Cisco Talos’ analysis (which also contains a proof-of-concept exploit).

In practice, there are a couple of ways for an attacker to carry out an exploit in the real world, researchers said. For one, if Imunify360 is configured with real-time file system scanning, the attacker need only create a malicious file in the system, they noted. Or, the attacker could also provide a malicious file directly to the target, which would trigger an exploit when a user scans it with the Ai-Bolit scanner.

Those using Imunify360 to protect their Linux webservers should upgrade to the latest version of the platform – which contains a patch – to prevent successful cyberattacks.

Marcin “Icewall” Noga of Cisco Talos is credited with discovering the bug.

There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.

Suggested articles